Malware analysis and network traffic techniques for CTF challenges.
Works with
Covers script deobfuscation (JavaScript, PowerShell, base64/hex decoding), YARA rule writing, shellcode analysis with Unicorn Engine and Capstone, and memory forensics using Volatility 3 (malfind, process injection detection)
Includes PE and .NET binary analysis (peframe, dnSpy, AsmResolver), malware configuration extraction, and sandbox evasion detection (VM detection, timing checks, API hashing)
Provides C2 traffic
AI-first code editor with Composer
Before installing skills in Cursor, ensure your development environment meets these requirements:
node --versionctf-malwareExecute the skills CLI command in your project's root directory to begin installation:
Fetches ctf-malware from ljagiello/ctf-skills and configures it for Cursor.
The CLI shows a list of agents. Use arrow keys and space to select Cursor:
Confirm successful installation by checking the skill directory location:
Restart Cursor to activate ctf-malware. Access via /ctf-malware in your agent's command palette.
We perform automated surface-level scans (Gen AI Scanner, Socket, Snyk) during installation. These checks detect common vulnerabilities but do not guarantee complete security. Always review skill source code and verify the publisher's reputation before production use.
Skills execute code in your environment. Always review source, verify the publisher, and test in isolation before production.
Submit your Claude Code skill and start earning
Create detailed user stories, acceptance criteria, and feature specs
Example
Generate user stories for 'password reset feature' with acceptance criteria, edge cases, and test scenarios
Reduce spec writing time by 50%, ensure comprehensive coverage
Research competitors, compare features, identify gaps
Example
Analyze 5 competitor products, create feature comparison matrix, suggest differentiation opportunities
Complete competitive research in 2 hours instead of 2 days
Evaluate features using frameworks (RICE, ICE, Kano) and create prioritized backlogs
Example
Score 20 feature ideas using RICE framework, generate prioritized roadmap with rationale
0
total installs
0
this week
1.1K
GitHub stars
0
upvotes
Run in your terminal
0
installs
0
this week
1.1K
stars
Quick reference for malware analysis CTF challenges. Each technique has a one-liner here; see supporting files for full details with code.
Python packages (all platforms):
pip install yara-python pefile capstone oletools unicorn pycryptodome \
volatility3 dissect.cobaltstrike
Linux (apt):
apt install strace ltrace tshark binwalk binutils
macOS (Homebrew):
brew install wireshark binwalk binutils ghidra
Manual install:
/ctf-reverse./ctf-forensics./ctf-osint.# Static analysis
file suspicious_file
strings -n 8 suspicious_file | head -50
xxd suspicious_file | head -20
# PE analysis
python3 -c "import pefile; pe=pefile.PE('mal.exe'); print(pe.dump_info())" | head
peframe mal.exe
# Dynamic analysis (sandboxed!)
strace -f -s 200 ./suspicious 2>&1 | head -100
ltrace ./suspicious 2>&1 | head -50
# Network indicators
strings suspicious_file | grep -E '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
strings suspicious_file | grep -iE 'http|ftp|ws://'
# YARA scan
yara -r rules.yar suspicious_file
eval/bash with echo to print underlying code; extract base64/hex blobs and analyze with file. See scripts-and-obfuscation.md.eval with console.log, decode unescape(), atob(), String.fromCharCode().-enc base64, replace IEX with output. See scripts-and-obfuscation.md.call targets. See scripts-and-obfuscation.md.tshark -r file.pcap -Y "tcp.stream eq X" -T fields -e tcp.payload
Look for C2 on unusual ports. Extract IPs/domains with strings | grep. See c2-and-protocols.md.
tcprewrite, add RSA key for TLS decryption, find RC4 key in binary. See c2-and-protocols.md.0x637c777b S-box; ChaCha20: expand 32-byte k; TEA/XTEA: 0x9E3779B9; RC4: sequential S-box init. See c2-and-protocols.md.peframe malware.exe # Quick triage
pe-sieve # Runtime analysis
pestudio # Static analysis (Windows)
See pe-and-dotnet.md.
VM detection (CPUID, MAC prefix, registry, disk size), timing evasion (sleep/RDTSC sandbox detection), API hashing (ROR13/DJB2/CRC32 + hashdb lookup), process injection (hollowing, APC, CreateRemoteThread), environment checks. See scripts-and-obfuscation.md.
Diff malicious plugin against official release to find injected code in try/except blocks. Custom alphabet rotation (C[(C.index(ch) - offset) % len(C)]) decodes C2 domain, XOR decodes endpoint path. See scripts-and-obfuscation.md.
pyinstxtractor.py to extract, PyArmor-Unpacker for protected code. See pe-and-dotnet.md.getUpdates and getFile APIs. See c2-and-protocols.md.ar -x package.deb && tar -xf control.tar.xz # Check postinst scripts
See scripts-and-obfuscation.md.
Write YARA rules to match byte patterns, strings, and regex against files or memory dumps. Detect XOR loops ({31 ?? 80 ?? ?? 4? 75}), base64 blobs, encoded PowerShell. Use yarac to compile for faster scanning. See scripts-and-obfuscation.md.
Disassemble with objdump -b binary -m i386:x86-64, emulate with Unicorn Engine (hook syscalls safely), or use Capstone for programmatic disassembly. Look for XOR decoder stubs. See scripts-and-obfuscation.md.
vol3 windows.malfind detects injected code (PAGE_EXECUTE_READWRITE without mapped file). windows.pstree reveals suspicious parent-child relationships. YARA scan memory with yarascan.YaraScan. See scripts-and-obfuscation.md.
strings malware | grep -E '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
tshark -r capture.pcap -Y "dns.qry.name" -T fields -e dns.qry.name | sort -u
Make data-driven prioritization decisions faster
Draft PRDs, status updates, and stakeholder presentations
Example
Create executive summary of Q3 roadmap, monthly progress report, feature launch announcement
Save 3-5 hours/week on communication overhead
Prerequisites
Time Estimate
30-60 minutes to see productivity improvements
Steps
Common Pitfalls
✓ Do
✗ Don't
💡 Pro Tips
✓ Use when
Use for user story writing, competitive research, roadmap prioritization, stakeholder communication, and PRD drafting. Best for reducing repetitive documentation and research work.
✗ Avoid when
Avoid for strategic product vision (requires deep customer empathy), pricing decisions (needs market and financial expertise), or when face-to-face customer discovery is more valuable than speed.
mattpocock/skills
parcadei/continuous-claude-v3
cursor/plugins
ailabs-393/ai-labs-claude-skills
pproenca/dot-skills
mattpocock/skills
Registry listing for ctf-malware matched our evaluation — installs cleanly and behaves as described in the markdown.
I recommend ctf-malware for anyone iterating fast on agent tooling; clear intent and a small, reviewable surface area.
We added ctf-malware from the explainx registry; install was straightforward and the SKILL.md answered most questions upfront.
ctf-malware fits our agent workflows well — practical, well scoped, and easy to wire into existing repos.
Solid pick for teams standardizing on skills: ctf-malware is focused, and the summary matches what you get after install.
We added ctf-malware from the explainx registry; install was straightforward and the SKILL.md answered most questions upfront.
ctf-malware is among the better-maintained entries we tried; worth keeping pinned for repeat workflows.
ctf-malware reduced setup friction for our internal harness; good balance of opinion and flexibility.
Useful defaults in ctf-malware — fewer surprises than typical one-off scripts, and it plays nicely with `npx skills` flows.
Keeps context tight: ctf-malware is the kind of skill you can hand to a new teammate without a long onboarding doc.
showing 1-10 of 49